First, the SP 800-128 includes a sample of the data elements that should be tracked for a change request:

• Date Prepared;
• Title of Change Request;
• Change Initiator/Project Manager;
• Change Description;
• Change Justification;
• Urgency of Change: {Scheduled/Urgent/Unscheduled};
• Personnel involved with the Change;
• Expected Security Impact of Change;
• Expected Functional Impact of Change;
• Expected Impact of Not Doing Change;
• Potential Interface/Integration Issues;
• Required Changes to Existing Applications;
• Project work plan including change implementation date, deliverables, and back-out plan; and
• Funding Required Implementing Change.

Appendix F to SP 800-128, entitled BEST PRACTICES FOR ESTABLISHING SECURE CONFIGURATIONS provides very specific industry guidance on good security configuration management practices. (the following is largely a reproduction of Appendix F, however, I have summarized what I consider to be the most significant issues and removed duplicative references to some NIST Publications.  Some personal commentary appears in red below.

Use Standards for Secure Configuration Settings. Organizations should consider available standards as the basis for establishing secure configuration settings. A source for information on configuration settings is the National Checklist Program.

• NIST SP 800-68: Guide to Securing Microsoft Windows XP Systems for IT Professionals;
• NIST SP 800-69: Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist; and
• NIST SP 800-70: National Checklist Program for IT Products-Guidelines for Checklist Users and Developers.

Centralize Policy and Standards for Configuration Settings. Where possible and appropriate, secure configurations should be developed and implemented in a top-down approach to ensure consistency across the organization. An example is the implementation of the group policy functionality, which can be used to distribute secure configuration policy in a centralized manner throughout established domains.

Tailor Secure Configurations According to System/Component Function and Role. Secure configuration settings should be tailored to the system component’s function. For example, a server acting as a Windows domain controller may require stricter auditing requirements (e.g., auditing successful and unsuccessful account logons) than a file server. A public access Web server in a DMZ may require that fewer services are running than in a Web server behind an organization’s firewall supporting an intranet.

• NIST SP 800-41: Guidelines on Firewalls and Firewall Policy (Consumer grade network routerts and wireless routers can be significant improved by using DD-WRT.  “DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems.” (See http://www.dd-wrt.com/site/index.) ;
• NIST SP 800-44: Guidelines on Securing Public Web Servers;
• NIST SP 800-45: Guidelines on Electronic Mail Security;
• NIST SP 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks (I would avoid having a wireless network connected to a e-PHI system if possible);
• NIST SP 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; (Mandatory TLS encryption is still difficult to implement, most organizations are not in a position to support this functionality on their email solution);
• NIST SP 800-95: Guide to Secure Web Services;
• NIST SP 800-123: Guide to General Server Security; and
• NIST SP 800-124: Guidelines on Cell Phone and PDA Security. (Consumer grade cell phones, PDAs, and blackberries have a number of security configurations available (e.g. timeout, password protection, etc.) that can help to secure these devices).

Eliminate Unnecessary Ports, Services, and Protocols (Least Functionality). Devices should be configured to allow only the necessary ports, protocols, and services in accordance with functional needs and the risk tolerance in the organization. Open ports and available protocols and services are an inviting target for attackers, especially if there are known vulnerabilities associated with a given port, protocol, or service. Sources such as the NIST National Vulnerability Database (NVD) are available for highlighting vulnerabilities in various system components.

Limit the Use of Remote Connections. While connecting remotely to information systems allows more flexibility in how users and system administrators accomplish their work, it also opens an avenue of attack popular with hackers. Use of remote connections should be limited to only those absolutely necessary for mission accomplishment.

• NIST SP 800-46: Guide to Enterprise Telework and Remote Access Security;
• NIST SP 800-47: Security Guide for Interconnecting Information Technology Systems; and
• NIST SP 800-77: Guide to IPsec VPNs.

Develop Strong Password Policies. Passwords are a common mechanism for authenticating the identity of users and if they are poorly implemented or used, an attacker can undermine the best security configuration. Organizations should stipulate password policies and related requirements with the strength appropriate for protecting access to the organization’s assets.

Implement Endpoint Protection Platforms (EPPs). Personal computers are a fundamental part of any organization’s information system. They are an important source of connecting end users to networks and information systems, and are also a major source of vulnerabilities and a frequent target of attackers looking to penetrate a network. User behavior is difficult to control and hard to predict, and user actions, whether it is clicking on a link that executes malware or changing a security setting to improve the usability of their PC, frequently allow exploitation of vulnerabilities. Commercial vendors offer a variety of products to improve security at the “endpoints” of a network. These EPPs include:

• Anti-malware. Anti-malware applications should be a part of the standard secure configuration for system components. Anti-malware software employs a wide range of signatures and detection schemes, automatically updates signatures, disallows modification by users, run scans on a frequently scheduled basis, have an auto-protect feature set to scan automatically when a user action is performed (e.g., opening or copying a file), and may provide protection from zero-day attacks. For platforms for which anti-malware software is not available, other forms of anti-malware such as rootkit detectors may be employed.
• Personal Firewalls. Personal firewalls provide a wide range of protection for host machines including restriction on ports and services, control against malicious programs executing on the host, control of removable devices such as USB devices, and auditing and logging capability.
• Host-based Intrusion Detection and Prevention System.  Host-based IDPS is an application that monitors the characteristics of a single host and the events occurring within that host to identify and stop suspicious activity.
• Restrict the use of mobile code. Organizations should be cautious in allowing the use of “mobile code” such as ActiveX, Java, and JavaScript. An attacker can easily attach a script to a URL in a Web page or email that, when clicked, will execute malicious code within the computer’s browser.

NIST SP 800-28: Guidelines on Active Content and Mobile Code.

Use Cryptography.  In many systems, especially those processing, storing, or transmitting information that is moderate impact or higher for confidentiality, cryptography should be considered as a part of an information system’s secure configuration. There are a variety of places to implement cryptography to protect data including individual file encryption, full disk encryption, Virtual Private Network connections, etc.

NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices.

Develop a Patch Management Process. A robust patch management process is important in reducing vulnerabilities in an information system. As patches greatly impact the secure configuration of an information system, the patch management process should be integrated into SCM at a number of points within the four SCM phases including:

• Performing security impact analysis of patches;
• Testing and approving patches as part of the configuration change control process;
• Updating baseline configurations to include current patch level;
• Assessing patches to ensure they were implemented properly; and
• Monitoring systems/components for current patch status.

NIST SP 800-40: Creating a Patch and Vulnerability Program.

Control Software Installation. The installation of software is a point where many vulnerabilities are introduced into an organization’s information system. Malware or insecure software can give attackers easy accessto an organization’s otherwise tightly protected network. Although the simplest approach is to lock down computers and manage software installation centrally, this is not always a viable option in many organizations. Other methods for controlling the installation of software include:

• Whitelisting – All software is checked against a list approved by the organization;
• Checksums – All software is checked to make sure the code has not changed;
• Certificate – Only software with signed certificates from a trusted vendor is used;
• Path or domain – Only software within a directory or domain can be installed; and
• File extension – Software with certain file extensions such as .bat cannot be installed.

Related Blogs

• The Internet Public Libraray With a Useful Guide to Photo Sharing …
• PREPRINT: Free Access: “Use of Web Resources in the Journal …
• Israel's Policy and the idea of A One State solution
• Researchers Map Multi-Network Cybercrime Infrastructure — Krebs on …
• Alan Taub Elected Vice Chair of NIST Advisory Group | Japanese …

          

NIST announced the publication of Initial Public Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems. originally appeared on Law Blog 2.0 on March 19, 2010.

Identity Theft and Consumer Protect Laws.

One of the most common (and high risk) user installed software found on the enterprise desktop computer is P2P[i] file-sharing software.  This software can be detected with networking scanning software like Nessus.[ii]

Unlike, other software, P2P file-sharing software is very effective at circumventing an organization’s security perimeter.  In most organizations measures in-place to prevent users from installing software are easily circumvented: (1) by installing and running the device from a USB key, (2) using the local Administrator account to install the software because the local Administrator account has not been set after the last re-image or the local administrator account password is known to users, or (3) IT installs the software at the request of a user.  Recently, the Department of Health and Human Services (“HHS “)has been very proactive in getting the message out that portable media, laptops, and other similar devices that contain electronic protected health information (e-PHI) must be encrypted.  However, despite numerous alleged disclosures of e-PHI on P2P networks, HHS is failing to inform patients, covered entities, and business associates of covered entities about the risks of peer-to-peer (P2P) file sharing and the inadvertent sharing of documents containing e-PHI.

Last Summer P2P programs reportedly inadvertently shared information about presidential motorcade routes, a Secret Service safe house for former first lady Laura Bush, and personal information of more than 220,000 soldiers and hospital patients.[iii]

In February of 2009, a researcher at Dartmouth College using four P2P networks — Gnutella, FastTrack, Aries and eDonkey —collected 3,328 files.  The researcher located 161 unique files contained sensitive information that could be used to commit medical or financial identity theft. (See Johnson, M. Eric, Data Hemorrhages in the Health-Care Sector, Center for Digital Strategies, Tuck School of Business, Dartmouth College, Hanover NH 03755)(available at http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonHemorrhagesFC09Proceedingd.pdf)(see also http://www.wired.com/threatlevel/2009/03/p2p-networks-le/).

On March 5, 2010, a research paper entitled The Inadvertent Disclosure of Personal Health Information Through Peer-To-Peer File Sharing Programs confirmed the Dartmouth Study.  This study found that:

Approximately 0.4% of Canadian IP addresses had PHI, as did 0.5% of US IP addresses. There was more disclosure of financial information, at 1.7% of Canadian IP addresses and 4.7% of US IP addresses. An analysis of search terms used in these file sharing networks showed that a small percentage of the terms would return PHI and PFI files (ie, there are people successfully searching for PFI and PHI on the peer-to-peer file sharing networks).

(See J Am Med Inform Assoc 2010;17:148e158. doi:10.1136/jamia.2009.000232)(article available at http://jamia.bmj.com/content/17/2/148.short).  Additional examples and case studies of various types of disclosures are available within a web only appendix available at http://jamia.bmj.com/content/17/2/148/suppl/DC1.

Legislators have proposed at least one Bill HR 1319 (December 9, 2009) to limit the undisclosed sharing of files without a user’s consent. (HR 1319 is entitled “AN ACT To prevent the inadvertent disclosure of information on a computer through certain ‘‘peer-to-peer’’ file sharing programs without first providing notice and obtaining consent from an owner or authorized user of the computer” and is available at http://www.govtrack.us/congress/bill.xpd?bill=h111-1319).  With the prospect of legislation requiring P2P software vendors to educate users, control network content, and require other family friendly features – steps are being taken by mainstream P2P file sharing companies to inform users how to properly configure their software.  In addition, some companies have re-designed their products with default configurations that may in some circumstances share less information of a sensitive nature.  (See http://www.limewire.com/legal/safety).

The FTC has been proactive about informing consumers and companies of the risks of P2P file-sharing to their personal information.  In late February (2010) the FTC sent out warning letters to more than 100 companies highlighting concerns about personal information of consumers and/or employees being found on file-sharing networks. The FTC requested that aforementioned companies review internal security procedures and the security procedures of their third party service providers and/or business associates.  The FTC also requested that companies identify affected individuals and assess whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws (See Widespread Data Breaches Uncovered by FTC Probe FTC Warns of Improper Release of Sensitive Consumer Data on P2P File-Sharing Networks, FTC Press Release dated February 22^nd, 2010, available at http://www.ftc.gov/opa/2010/02/p2palert.shtm).

The FTC also opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks.  Significantly, the failure to prevent sensitive information from being shared on P2P networks potentially violates the Gramm-Leach-Bliley Act (which includes provisions to protect consumers’ personal financial information held by financial institutions) and/or Section 5 of the FTC Act.  Section 5 of the FTC Act prohibits “unfair methods of competition,” and was amended in 1938 to prohibit “unfair or deceptive acts or practices”.  Recent enforcement actions by the FTC relating to privacy and data security are available at www.ftc.gov/privacy/privacyinitiatives/ promises_enf.html.

The FTC recommends that Companies:

• Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved;
• Minimize or eliminate the use of P2P file sharing programs on computers used to store or access sensitive information;
• Use appropriate file-naming conventions;
• Monitor your network to detect unapproved P2P file sharing programs;
• Block traffic associated with unapproved P2P file sharing programs at the network perimeter or network firewalls; and
• Train employees and others who access your network about the security risks inherent.

(See P2P FIlesharing , available at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus64.pdf ; see also Protecting PERSONAL INFORMATION FEDERAL TRADE COMMISSION A Guide for Business, available at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf.)

Note, the FTC publication entitled Protecting PERSONAL INFORMATION FEDERAL TRADE COMMISSION A Guide for Business is well written and is available for republication.

To secure the personal information stored on one’s computer, the FTC recommends:

• Avoid Changes to Default Settings.  Any changes you make to the P2P software’s default settings during installation could put data at risk.  One could inadvertently share information on their hard drive: like your tax returns, email messages, medical records, photos, or other personal documents;

• System Maintenance. Some file-sharing programs may install malware that monitors a user’s computer use and then sends that data to third parties;

• Close your connection. In many instances, closing the file-sharing program window does not actually close your connection to the network. That allows file-sharing to continue and could increase your security risk; and

• Avoid Using an Administrator Account to run P2P Software. Administrator accounts permit installation of software.  Avoiding the use of an account that would permit the installation of software can help protect against malware.

(See P2P File-Sharing: Evaluate the Risks)

An example of a P2P file sharing policy is available at http://www.k-state.edu/policies/ppm/3490.html.

Related Links

http://www.ftc.gov/infosecurity

http://www.OnGuardOnline.gov

http://www.sans.org/top20

http://www.us-cert.gov

Comparison of Feature of Populat P2P Clients

Not all distributed file sharing protocols are necessarily bad, for example Bittorent, another popular file sharing protocol, is invaluable in distributing large files.  The installation disks for the open source operating system Linux may be as large as 4 gigabytes multiple users downloading this large file could limit the bandwidth of a major university without protocols like Bittorent.  This protocol makes many small data requests over different TCP connections to different machines, while classic downloading is made via a single TCP connection to a single machine.  Many P2P file sharing software packages use a simple http connection for downloading data from a host computer once a host is located with the user’s desired content.  Unlike other P2P software, someone must “seed” a Bittorent download with a small file called a “torrent” that is used as a pointer for the file but the host of the torrent does not serve as the primary source of the data being downloaded by the end user.

[ii] (See http://www.nessus.org/whitepapers/reliability_and_uniqueness_of_nessus.pdf.)

[iii] (See http://www.washingtonpost.com/wp-dyn/content/article/2009/07/29/AR2009072902273_pf.html; http://voices.washingtonpost.com/securityfix/2009/07/report_locations_of_all_us_nuc.html; http://www.computerworld.com/s/article/9136053/Details_on_presidential_motorcades_safe_house_for_First_Family_leak_via_P2P?taxonomyId=17; http://www.smh.com.au/technology/technology-news/topsecret-obama-safe-house-leaked-on-limewire-20090730-e267.html; http://www.nextgov.com/nextgov/ng_20090729_2566.php?oref=topnews; http://www.nextgov.com/nextgov/ng_20090729_3555.php?oref=topnews; http://www.reuters.com/article/technologyNews/idUSTRE56S4T420090729; http://www.internetnews.com/government/article.php/3832556/Data+of+Soldiers+Hospital+Patients+Found+on+P2P.htm.)

Related Blogs

• Legal Information Institute: Sunlight Foundation Proposes Public …
• Wow! Construction Complete! C-SPAN Puts Complete Archive (23 years …
• Privacy Lives » Blog Archive » Federal News Radio: FTC looks at …
• File-Sharing and Link Sites Declared Legal in Spain | TorrentFreak
• Unfinished business « Though Cowards Flinch

          

P2P Leaks of Protected Health Information –HIPAA Covered Entities and Business Associates Should Have a P2P Software Policy Either Prohibiting the Use of P2P Software or Instructing Users on the Safe Use of P2P Software. originally appeared on Law Blog 2.0 on March 16, 2010.

Recent HHS Guidance has emphasized key areas of importance related to a covered entity’s security assessment-

This guidance document has been prepared with the main objective of reinforcing some of the ways a covered entity may protect EPHI when it is accessed or used outside of the organization’s physical purview. In so doing, this document sets forth strategies that may be reasonable and appropriate for organizations that conduct some of their business activities through (1) the use of portable media/devices (such as USB flash drives) that store EPHI and (2) offsite access or transport of EPHI via laptops, personal digital assistants (PDAs), home computers or other non corporate equipment.

The Centers for Medicare & Medicaid Services (CMS) has delegated authority to enforce the HIPAA Security Standards, and may rely upon this guidance document in determining whether or not the actions of a covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity and availability of EPHI, and it may be given deference in any administrative hearing pursuant to 45 C.F.R. § 160.508(c)(1), the HIPAA Enforcement Rule.

The kinds of devices and tools about which there is growing concern because of their vulnerability, include the following examples: laptops; home-based personal computers; PDAs and Smart Phones; hotel, library or other public workstations and Wireless Access Points (WAPs); USB Flash Drives and Memory Cards; floppy disks; CDs; DVDs; backup media; Email; Smart cards; and Remote Access Devices (including security hardware).

In general, covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity’s business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule.

(see http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806rev.pdf).

Special publication 800-53, Revision 3 includes: (1) a simplified, six-step Risk Management Framework; (2) additional security controls and enhancements for advanced cyber threats; (3) recommendations for prioritizing security controls during implementation or deployment; (4) revised security control structure with a new references section; (5) guidance on using the Risk Management Framework for legacy information systems and for external information system services providers; (6) Updates to security control baselines based on current threat information and cyber attacks; (7) Organization-level security controls for managing information security programs; and (8) Guidance on the management of common controls within organizations.  Table 1 below maps HIPAA Security implementation specifications to NIST Security controls.  The NIST taxonomy of controls, as mapped by NIST SP 800-66, is invaluable in understanding the technical details of how to implement HIPAA compliant safeguards and what additional safeguards should be evaluated.

NIST Assessment Methodology

Encryption of portable media is a key enforcement priority of the OIG.  USB flash drives and other portable media are usually put in bags, backpacks, laptop cases, jackets, trouser pockets or are left at unattended workstations.  Tracking corporate data stored on personal flash drives is a significant challenge; the drives are small, common, and constantly moving.  Consequently USB drives are frequently misplaced.  Most HIPAA covered entities and business associates have strict management policies toward USB drives, and some companies ban them to minimize risk (by prohibiting the drives in a company acceptable use policy and/or in the operating system configuration).

Table 1 – Data by Type Copied by Employees

Other findings include:

1. 53 percent of respondents downloaded information onto a CD or DVD, 42 percent onto a USB drive and 38 percent sent attachments to a personal e-mail account;
2. 79 percent of respondents took data without an employer’s permission;
3. 82 percent of respondents said their employers did not perform an audit or review of paper or electronic documents before the respondent left his/her job; and
4. 24 percent of respondents had access to their employer’s computer system or network after their departure from the company.

(see also State of the Endpoint IT Security & IT Operations Practitioners in the United States, United Kingdom, Australia, New Zealand & Germany sponsored by Lumension; Independently conducted by Ponemon Institute LLC; Publication Date: November 30, 2009)(avaliable at http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Lumension%20State%20of%20the%20Endpoint%20FINAL%203.pdf).

Organizational Structure

• Which individual(s) oversee HIPAA privacy and security issues — state their names and titles of the: (1) the private officer; (2) the security officer; and (3) principle contact in the event of a security incident.
• Do you have written policy and/or a job description for the privacy, security and security incident response contact person?
• Does the organization conduct internal monitoring regarding HIPAA compliance through: (1)  an internal privacy security team; (2) an external third-party; (3) or there is no HIPAA compliance monitoring?
• Briefly describe what protected health information your organization maintains and where said information is retained (i.e. application, systems, database)?
• Does business associate have a reporting mechanism for potential privacy or security breaches?
• If a reporting mechanism exists, who is responsible for addressing potential breaches and what is the chain of command within your organization?
• Please specify any reported security breaches to a covered entity, government entity, and/or consumers in the last 3 years?
• Does the business associate have an Information Technology (IT) group oversee risk management related to PHI stored in business associate systems?
• Please provide a list of individuals responsible for such oversight activity along with their credentials/certifications.
• What responsibilities do individuals in your legal department have related to HIPAA compliance?
• Does your organization have a business continuity plan to address preserving access to and integrity of PHI in the event of a disaster or other catastrophic event?

Administrative Structure

• What policies (and procedures) are available specifically addressing HIPAA privacy and security rules and compliance including the following:
  1. Risk Management;
  2. Risk Assessment and Application Criticality Analysis (FIPS 200);
  3. Physical Security;
  4. Encryption;
  5. Remote Access;
  6. Media and Document Destruction;
  7. Change Control/ Patch Management;
  8. Acceptable Use (Email, Portable Media, Software, Company Resources);
  9. Training and Security Reminders;
  10. Antivirus and Workstation Security;
  11. Unique User Identification;
  12. Audit and Log Monitoring;
  13. Security  Incident;
  14. Contingency and Emergency Access; and
  15. Workforce Clearance, Sanction, and Access Management.
• Who or what group within the organization is responsible for creating and updating these policies?
• When were the organization’s policies last updated?
• How often have any of these policies been updated?
• Are new employees trained to follow these policies and procedures?
• How frequently are existing employees re-trained on existing policies and procedures?
• How frequently are existing employees trained regarding updates in HIPAA rules?
• How are personnel screened in order to grant certain levels of access to PHI?
• Does the organization have a formal security incident response plan to address potential breaches of security that include at a minimum: (1) roles and responsibilities; (2) isolate affected system; (3) preserve evidence; (4) restore compromised system from known safe backups; and (5) post incident response report including identification of lessons learned and other mitigating controls may be indicated based on the incident?
• Does the organization require business partners to comply with its privacy and security policies?
• Does organization ever send PHI via email or ftp (file transfer protocol)?
• Does the organization have policy or procedures related to de-identifying PHI for use in advertising, marketing, educational programs?
• What policies and procedures exist regarding notification in the event of a breach?

Physical Structure

• How is PHI stored within the organization (i.e. fixed server databases/hard drives versus removable media such as backup tapes)?
• Does your company of a physical security plan?
• What types of controls exists to limit access into buildings containing servers that host PHI?
• What types of controls exists to limit access within buildings to rooms housing servers containing PHI?
• Who has access to facilities containing PHI, and what process exists to grant these individuals access?
• What environmental controls exist to protect PHI from destruction?
• To the extent PHI is physically maintained, does the organization employ shredders or other destroying devices for confidential PHI containing documents?  Do you train and document the training of employees on the use of shredders?

Technical Structure

• What types of security and encryption protect portable media containing PHI? (Portable media should always be encrypted.)
• What types of security exists to protect PHI as it flows to and is accessed at remote workstations?
• Describe the data flow “life-cycle” of PHI through the organization’s information systems.  (This should cover hosting services, software development, quality assurance, other issues.)
• Does the organization have routine maintenance protocols that backup, delete, relocate, or otherwise impact data containing PHI?
• What types of audit mechanisms exist to track access and transmission of PHI by internal or external users?  Typically audit logs include a timestamp, a unique user account, data accessed/modified/created, and the location of the user.
• How often are these audit mechanisms used to detect abnormal use?
• Do automatic triggers exist to notify the organization of abnormal PHI use?
• Does the organization prevent browsers with un-patched security vulnerabilities from accessing the company’s information system?

Compliance History and Future Developments

• Has the organization had any security incidents in the past 5 years?  How many and when?
• Has business associate received any negative press related to privacy or security issues in the past 5 years?  How many and when?
• What if any HIPAA security and privacy litigation has business associate been party to in the past 5 years?  Describe the timeline, the circumstances, and the outcome.
• Has business associate conducted risk assessments and vulnerability assessments through independent third parties?  When was the last assessment done?
• Has business associate developed its business off-shore?  If so, are the off-shore business associate facilities ISO 17799 certified?
• Does business associate have new technologies on the horizon that involve PHI, and what if any safeguards are contemplated to protect this data?

Key Terms

Advanced Encryption Standard (AES) – specifies the FIPS 140-2 approved cryptographic algorithm that can be used to protect electronic data.

Business Associate – a third party that acts on behalf of a covered entity by performing a function or activity that HIPAA’s Administrative Simplification rules regulate or that provides certain services (e.g., legal or consulting services) that involve the use or disclosure of individually identifiable health information.

Covered Entity – a health plans, health care clearinghouses, health care providers, and endorsed sponsors of the Medicare prescription drug discount care that conduct covered transactions electronically.  Covered entities are subject to HIPAA’s Administrative Simplification mandates.

Encryption - Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called “decryption”, which is a transformation that restores encrypted data to its original state.

HIPAA (The Health Insurance Portability and Accountability Act) – mandates the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

NIST (National Institute of Standards) - an agency in the Technology Administration that makes measurements and sets standards as needed by industry or government programs.

Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This includes any part of a patient’s medical record, diagnosis,  and/or payment history.

PHI identifiers include:

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3. Dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers(SSN);
8. Medical record numbers;
9. Health plan beneficiary numbers;

10.  Account numbers;

11.  Certificate/license numbers;

12.  Vehicle identifiers and serial numbers, including license plate numbers;

13.  Device identifiers and serial numbers;

14.  Web Universal Resource Locators (URLs);

15.  Internet Protocol (IP) address numbers;

16.  Biometric identifiers, including finger, retinal and voice prints;

17.  Full face photographic images and any comparable images; and

18.  Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

Table 2 – NIST SP 800-66 HIPAA Security Compliance Guidance

Related Blogs

• The collapse of China's English-teaching schools » The Peking Duck
• Irish Mr. English : Unleashed Online
• Idea Lab: Full English Breakfast from Scratch
• Language Log » Chinese Endangered by English?
• Toy Tokyo x Secret Base x Ron English X-Ray McSupersized Figure …

          

Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. originally appeared on Law Blog 2.0 on November 29, 2009.

HHS Security Breach Notice Regulations - Update

A series of privacy advocates have expressed displeasure with the HHS “harm standard” as articulated in the recent Covered Entity .  However, I believe the “harm standard” is reasonable and appropriate.  One recent article is available here (published by computer world): HHS guts health-care breach notification law, groups warn Posted using ShareThis

I am a little unclear as to why privacy advocates and security vendors believe that the harm standard, found within the new HHS regulations for security breaches, in any way hampers the HITECH Act’s security breach notice rule for covered entities and business associates.  Many states use a similar risk based type analysis, in fact only seven states have a strict acquisition based standard, of those only a couple of these states link their definition of encryption to FIPS 140-2.*  In comparison to risk based states where one assesses the potential risk to a consumer resulting from theft of sensitive information, the federal standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to consumers.

*I am not certain on this, but I believe the most problematic state is California.  California includes health information within the definition of personal information, California references FIPS 140-2, California is an acquisition based state, and guidance documents issued by the state are extremely draconian.

Second, implementing a FIPS 140-2 approved encryption system is an expensive and complicated process — it seems reasonable that HHS should temper FIPS 140-2 with a harm standard analysis.  As many covered entities have started to dissect the requirements of what would constitute acceptably encrypted data under the HITECH act they have quickly realized that process of implementing what is largely a FISMA (Federal Government/ Military) based encryption standard presents many problems.  FIPS approved algorithms and processes require precise configuration; such systems are designed to fail closed.  Failing closed means denying access — this could be a good thing with money but a bad thing when dealing with clinical data in an emergency situation.  Security controls in the health care industry are a delicate balance of confidentiality, integrity and availability. (http://law2point0.com/wordpress/2009/09/15/50-state-security-breach-notice-law/).  Pushing out government grade security safeguards too fast could create serious issues in the event a provider needs immediate access to patient records but hospital A cannot communicate with hospital B due to a conflicting encryption schema.

Without the harm standard, covered entities would be forced into over-reporting incidents — over-reporting can be just as damaging as not reporting any security incidents.  There are two studies that help to put the “harm” or risk-based standard for security breach reporting in an appropriate (real-world) context.
The first study is a report prepared by the General Accounting Office (GAO) from 2007 entitled PERSONAL INFORMATION — Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (the report is available for free at http://www.gao.gov/new.items/d07737.pdf).  This report evaluated the 24 largest breaches reported in the media from January 2000 through June 2005.  The study found that:

1. In only three instances was there evidence of fraud on existing accounts and in only one instance of the three identified cases did the GAO find evidence of unauthorized creation of a new account;
2. For 18 of the breaches, no clear evidence was uncovered linking the breach to identity theft; and
3. In the remaining two cases there was insufficient information to make a determination.

A second article, by S. Romanosky, R. Telang, and A. Acquisti, entitled Do Data Breach Disclosure Laws Reduce Identity Theft? (available for free at  http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1268926) summarizes the debate surrounding security breach notification laws and their impact.  The authors’ analyses reveal a modest effect of security breach disclosure laws in reducing identity theft rates by approximately 2%.  However, this article also notes that over-reporting has many negative consequences — including unnecessary costs and desensitizing consumers such that when a real incident that they should take notice of is ignored.

The FIPS-140-2 standard is a Federal Standard and the guidance cited by HHS (OMB Memorandum M-07-16 is also a federal standard (available at http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf)).  The OMB the guidance and the FIPS 140-2 are both compoennts of the federal government program to protect against harm resulting from a security breach.  It seems logical if that we are following a FISMA structure that OMB Memorandum M-07-16 should be considered when assessing the scope and consequences of a security breach.

The harm standard may result in fewer notices, in some states where there are exceptions for HIPAA covered entities for some provisions of state reporting requirements, but absent an applicable exception an entity could still be bound by the state standard and the federal standard.  Many states are including health information within the definition of personal information; even so it is frequently the case that when health information is compromised the triggering elements for a given state’s reporting statute are present within the compromised health data.  Unfortunately, the end result will likely be a negligible  reduction in notice unless the seven states and the DC that have an acquisition based standard move to a risk based / harm based analysis.  In my opinion an acquisition based standard reaches the wrong result for both consumers and companies.  The one benefit will be that the Federal standard does provide a rational framework for entities absent other guidance that can be used to frame analysis of a security incident and what mitigation efforts are appropriate.

          

Fear Mongering or Legitimate Criticism — “HHS guts health-care breach notification law, groups warn” originally appeared on Law Blog 2.0 on September 22, 2009.

a.    Take immediate action to stop the incident from continuing or recurring.

b.    If the incident does not involve the loss of confidential information or have other serious impacts to individuals IT should repair the system, restore service, and preserve evidence of the incident.

c.    If the incident involves the loss of confidential information or critical data or has other potentially serious impacts, you should consult with your general counsel or your legal counsel for guidance under applicable federal and state laws.

e.    File a Security Incident Report including a description of the incident and documenting any actions taken thus far.

f.     Refrain from discussing the incident with others until a response plan has been formulated.

g.    Repair the system and restore service.

h.    Preserve evidence of the incident.

Did a reportable security breach occur?

Some factors to consider when evaluating a potential security breach.

When determining whether or not acquisition has actually or is reasonably believed to have occurred, on should consider, at a minimum, the following indicators:

1. The information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other devices that have the capability of containing information, or such as a misdirected electronic mail transmission received and opened by an unauthorized person containing notice-triggering information.
2. The information has been downloaded or copied (e.g., any evidence that download or copy activity has occurred which may require forensic analysis);
3. The attacker deleted security logs or otherwise “covered their tracks”;
4. The duration of exposure in relation to maintenance of system logs or in cases of an inadvertent or unauthorized Web site posting;
5. The attack vector is known for seeking and collecting personal information;
6. The information was used by an unauthorized person, such as instances of identity theft reported or fraudulent accounts opened.

Appropriate Incident Handling Procedures Are Key.

DOs

1. Immediately isolate the affected system to prevent further intrusion, release of data, damage, etc.
2. Use the telephone to communicate. Attackers may be capable of monitoring email traffic.
3. Immediately notify your security incident response team.
4. Activate all auditing software, if not already activated.
5. Preserve all pertinent system logs, e.g., firewall, router, and intrusion detection system.
6. Make backup copies of damaged or altered files, and keep these backups in a secure location.
7. Identify where the affected system resides within the network topology.
8. Identify all systems and agencies that connect to the affected system.
9. Identify the programs and processes that operate on the affected system(s), the impact of the disruption, and the maximum allowable outage time.
10. In the event the affected system is collected as evidence, make arrangements to provide for the continuity of services, i.e., prepare redundant system and obtain data back-ups. To assist with your operational recovery of the affected system(s), pre-identify the associated IP address, MAC address, Switch Port location, ports and services required, physical location of system(s), the OS, OS version, patch history, safe shut down process, and system administrator or backup.

DON’Ts

1. Delete, move, or alter files on the affected systems.
2. Contact the suspected perpetrator.
3. Conduct a forensic analysis.

Other Considerations

1. Collect information for each server, router, switch, and Data Service Unit (DSU) including:
   • IP address
   • Media Access Control (MAC) address
   • Switch Port location (switch name and port number)
   • Port assignment
   • Ports and services are required
   • Statement that all other unneeded ports and services are closed and/or removed
   • Responsible system administrator and backup
   • Physical location of server
   • Physical security implemented
   • Emergency contact information (both technical and user management)
   • OS/Version/Patch history
   • Systems supported, impact of outage, and maximum allowable outage (MAO)
   • Shutdown script (if applicable)
   • Recovery process
2. Identify all external connections, assess the need for the connections, the security risk to each connection, and any recommended safeguards or strategies.
3. Provided an adequate security message and warning banner on your system.
4. Implement a keystroke monitoring program.
5. Does personal information reside on, or is it transmitted through the affected system (as defined by federal and/or state security breach notification statutes)?

Steps to Minimize Potential Liability

1. Review physical and electronic access by employees and investigate abnormal activity in ALL computing environments.
2. Review system administrators, field accounts, and special access rights for appropriate access levels.
3. Ensure that systems are always backed up and the data is securely placed in an offsite location. Periodically conduct data restore tests.
4. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored. In addition, schedule routine virus scans on servers and desktops.
5. Remove sensitive information from websites.
6. Limit the size and manage the type of email attachments that can be received (certain systems allow you to disable executable files).
7. Keep the IT Operational Recovery Plan (ORP) and Business Continuity Plan (BCP) up-to-date, tested, and ready for implementation.
8. Establish security accountability for any and all users at appropriate levels.
9. Improve security on access to critical assets and facilities with technology environments.
10. Remove unnecessary services on routers, ports, servers, and network devices.
11. Trace or monitor the necessary services.
12. Designate an Information Security Officer (ISO) who shall report to the Director of the department or designee. The ISO shall not report to the Chief Information Officer (CIO).
13. Continuously educate management on the priority of security and the security risks associated with Information Technology.
14. Install warning banners at the login process for access to all state systems and applications.
15. Increase user awareness in security by continuously enhancing technology use policy such as “non-personal use of email.”
16. Verify that software updates and patches are continuously installed on a timely basis to operating systems and applications. Be wary of standard software installations. These installations often include services or features which you do not use and do not update.
17. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored.
18. Improve or remove user accounts with weak passwords, default or built-in passwords, old passwords, or no passwords. All accounts must have passwords and passwords should be complex and difficult to guess.
19. Require use of passwords containing alpha-numeric-special character combinations. Passwords should expire after a set period of time and employ a password history to prevent repeated passwords.
20. Ask if you have a policy which cancels log-ins/passwords when employees leave your organization. If so, verify that the policy is enforced.
21. Implement intrusion detection, provide monitoring on critical information systems, such as maintaining system logs on write only CDs.
22. Restrict non-business use of e-mail.
23. Review your remote access procedures and policies. Who is granted access? How is it monitored? If virtual private network (VPN) access is provided, have minimum security standards been established for the remote computer? How is this verified?
24. Enforce a policy regarding Internet use (viruses such as Trojan Horses can be introduced by visiting websites).
25. Restrict use of chat room software, AOL Instant Messenger, IRC Chat, ICQ Chat, (viruses can be introduced by visiting chat rooms).
26. Maintain a firewall between your system and any untrusted system (Internet connection).

Recommended Resources

NIST Special Publication 800-61 (Rev. 1)(Mar 2008    ) Computer Security Incident Handling Guide (available at http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf).
NIST Special Publication 800-86(Aug 2006) Guide to Integrating Forensic Techniques into Incident Response (available at http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf).
NIST Special Publication 800-83(Nov 2005) Guide to Malware Incident Prevention and Handling (available at http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf).

          

Evaluating Secutiy Incidents — Security Incident DOs and DON’Ts originally appeared on Law Blog 2.0 on September 8, 2009.